| 1 |
I don't understand the letsencrypt certbot renewal process, specifically |
| 2 |
the hooks. |
| 3 |
|
| 4 |
I have two certificates: one for webserver, one for mailserver. I got |
| 5 |
them only very recently so I until now the renewal cronjob has always |
| 6 |
been a no-op, but the real thing will happen very soon. When it does, |
| 7 |
presumably I need to have both daemons restarted so that they read the |
| 8 |
renewed certificates. So, how do I do this? Right now my cronjob is |
| 9 |
just |
| 10 |
|
| 11 |
certbot renew -n --standalone --preferred-challenges tls-sni |
| 12 |
|
| 13 |
which should renew any and all certificates when they're "close" to |
| 14 |
expiring. But the documentation doesn't say if I can have multiple |
| 15 |
--pre-hook and --post-hook options and what the semantics would be. The |
| 16 |
closest it comes is: |
| 17 |
|
| 18 |
When renewing several certificates that have identical pre-hooks, only |
| 19 |
the first will be executed. |
| 20 |
|
| 21 |
which doesn't make any sense: what does it mean for a certificate to |
| 22 |
"have" a pre-hook? The pre-hook is just there on the command line, |
| 23 |
there is no association with a particular certificate that a machine |
| 24 |
could infer. |
| 25 |
|
| 26 |
The cop-out solution is to have a single pre-hook and a single |
| 27 |
post-hook, which stop (resp. start) both daemons, but that is ugly. How |
| 28 |
do people handle this? |
| 29 |
|
| 30 |
-- |
| 31 |
Please don't Cc: me privately on mailing lists and Usenet, |
| 32 |
if you also post the followup to the list or newsgroup. |
| 33 |
Do obvious transformation on domain to reply privately _only_ on Usenet. |
Archives